2026-01-07 11:23:13 +01:00
services:
authentik-db:
image: postgres:16-alpine
container_name: authentik-db
restart: unless-stopped
environment:
POSTGRES_DB: "{{ authentik_db_name }}"
POSTGRES_USER: "{{ authentik_db_user }}"
POSTGRES_PASSWORD: "{{ client_secrets.authentik_db_password }}"
volumes:
- authentik-db-data:/var/lib/postgresql/data
networks:
- {{ authentik_network }}
healthcheck:
test: ["CMD-SHELL", "pg_isready -d {{ authentik_db_name }} -U {{ authentik_db_user }}"]
interval: 30s
timeout: 5s
retries: 5
start_period: 20s
deploy:
resources:
limits:
memory: 512M
cpus: "0.5"
authentik-server:
image: {{ authentik_image }}:{{ authentik_version }}
container_name: authentik-server
restart: unless-stopped
command: server
environment:
# PostgreSQL connection
AUTHENTIK_POSTGRESQL__HOST: authentik-db
AUTHENTIK_POSTGRESQL__NAME: "{{ authentik_db_name }}"
AUTHENTIK_POSTGRESQL__USER: "{{ authentik_db_user }}"
AUTHENTIK_POSTGRESQL__PASSWORD: "{{ client_secrets.authentik_db_password }}"
# Secret key for encryption
AUTHENTIK_SECRET_KEY: "{{ client_secrets.authentik_secret_key }}"
# Error reporting (optional)
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
# Branding
AUTHENTIK_BRANDING__TITLE: "{{ client_name | title }} SSO"
2026-01-13 09:52:23 +01:00
# Email configuration
{% if mailgun_smtp_user is defined or (client_secrets.mailgun_smtp_user is defined and client_secrets.mailgun_smtp_user != "" and "PLACEHOLDER" not in client_secrets.mailgun_smtp_user) %}
AUTHENTIK_EMAIL__HOST: "smtp.eu.mailgun.org"
AUTHENTIK_EMAIL__PORT: "587"
AUTHENTIK_EMAIL__USERNAME: "{{ mailgun_smtp_user | default(client_secrets.mailgun_smtp_user) }}"
AUTHENTIK_EMAIL__PASSWORD: "{{ mailgun_smtp_password | default(client_secrets.mailgun_smtp_password) }}"
AUTHENTIK_EMAIL__USE_TLS: "true"
AUTHENTIK_EMAIL__FROM: "Vrije Cloud <{{ inventory_hostname }}@mg.vrije.cloud>"
{% else %}
# Email not configured - set mailgun_smtp_user/password in secrets
{% endif %}
2026-01-07 11:23:13 +01:00
volumes:
- authentik-media:/media
- authentik-templates:/templates
networks:
- {{ authentik_traefik_network }}
- {{ authentik_network }}
depends_on:
authentik-db:
condition: service_healthy
labels:
- "traefik.enable=true"
- "traefik.http.routers.authentik.rule=Host(`{{ authentik_domain }}`)"
- "traefik.http.routers.authentik.tls=true"
- "traefik.http.routers.authentik.tls.certresolver=letsencrypt"
- "traefik.http.routers.authentik.entrypoints=websecure"
- "traefik.http.services.authentik.loadbalancer.server.port={{ authentik_http_port }}"
# Security headers
- "traefik.http.routers.authentik.middlewares=authentik-headers"
- "traefik.http.middlewares.authentik-headers.headers.stsSeconds=31536000"
- "traefik.http.middlewares.authentik-headers.headers.stsIncludeSubdomains=true"
- "traefik.http.middlewares.authentik-headers.headers.stsPreload=true"
deploy:
resources:
limits:
memory: 1G
cpus: "1.0"
authentik-worker:
image: {{ authentik_image }}:{{ authentik_version }}
container_name: authentik-worker
restart: unless-stopped
command: worker
environment:
# PostgreSQL connection
AUTHENTIK_POSTGRESQL__HOST: authentik-db
AUTHENTIK_POSTGRESQL__NAME: "{{ authentik_db_name }}"
AUTHENTIK_POSTGRESQL__USER: "{{ authentik_db_user }}"
AUTHENTIK_POSTGRESQL__PASSWORD: "{{ client_secrets.authentik_db_password }}"
# Secret key for encryption (must match server)
AUTHENTIK_SECRET_KEY: "{{ client_secrets.authentik_secret_key }}"
# Error reporting (optional)
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
2026-01-08 16:56:19 +01:00
# Bootstrap configuration (only used on first startup)
AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ client_secrets.authentik_bootstrap_password }}"
AUTHENTIK_BOOTSTRAP_TOKEN: "{{ client_secrets.authentik_bootstrap_token }}"
AUTHENTIK_BOOTSTRAP_EMAIL: "{{ client_secrets.authentik_bootstrap_email | default('admin@' + client_domain) }}"
2026-01-13 09:52:23 +01:00
# Email configuration (must match server)
{% if mailgun_smtp_user is defined or (client_secrets.mailgun_smtp_user is defined and client_secrets.mailgun_smtp_user != "" and "PLACEHOLDER" not in client_secrets.mailgun_smtp_user) %}
AUTHENTIK_EMAIL__HOST: "smtp.eu.mailgun.org"
AUTHENTIK_EMAIL__PORT: "587"
AUTHENTIK_EMAIL__USERNAME: "{{ mailgun_smtp_user | default(client_secrets.mailgun_smtp_user) }}"
AUTHENTIK_EMAIL__PASSWORD: "{{ mailgun_smtp_password | default(client_secrets.mailgun_smtp_password) }}"
AUTHENTIK_EMAIL__USE_TLS: "true"
AUTHENTIK_EMAIL__FROM: "Vrije Cloud <{{ inventory_hostname }}@mg.vrije.cloud>"
{% endif %}
2026-01-07 11:23:13 +01:00
volumes:
- authentik-media:/media
- authentik-templates:/templates
networks:
2026-01-13 09:52:23 +01:00
- {{ authentik_traefik_network }}
2026-01-07 11:23:13 +01:00
- {{ authentik_network }}
depends_on:
authentik-db:
condition: service_healthy
deploy:
resources:
limits:
memory: 512M
cpus: "0.5"
volumes:
authentik-db-data:
driver: local
authentik-media:
driver: local
authentik-templates:
driver: local
networks:
{{ authentik_traefik_network }}:
external: true
{{ authentik_network }}:
driver: bridge
internal: true
